Third-Party Patching Conundrum

Enterprises have to weigh the risks and rewards of using non-Microsoft software patches.

The emergence of a high-profile group of security professionals promising third-party software fixes during zero-day attacks has rekindled a debate on the merits—and risks—associated with deploying unsupported product updates.

The Zeroday Emergency Response Team, or ZERT, stepped out of stealth mode Sept. 22 with a stopgap patch for a VML (Vector Markup Language) flaw that was the target of drive-by malware downloads, and, with a roster of well-respected security professionals on board, the concept of using a temporary fix ahead of Microsofts official update gained instant credibility.

Marcus Sachs, a former White House information security expert who agreed to serve as corporate evangelist for ZERT, said third-party mitigations will become even more important in what he described as "a nasty zero-day world."

"This is just another arrow in the quiver. These guys [in ZERT] are some of the best-known reverse engineers and security researchers," said Sachs, in Washington, in an interview with eWeek. "Its a tightknit group that has worked for years to make the Internet a safer place. This isnt a patch created by some guy in a basement. Its something that has been tested as rigorously as humanly possible."

Sachs, who serves as a deputy director in the Computer Science Laboratory at SRI International, stressed that third-party patches should always carry "buyer beware" tags because they are unsupported but said he believes IT administrators should strongly consider testing and deploying such updates during emergencies.

"In this case, Microsoft had not yet issued a patch, and we had already confirmed zero-day attacks were spreading in the wild," Sachs said. "Were not telling anyone to use it; were just offering it as an alternative."

The ZERT patch is the third instance this year in which a third-party fix was pushed out ahead of an official Microsoft update. In January, at the height of the WMF (Windows Metafile) virus attack, reverse-engineering guru Ilfak Guilfanov created and distributed a hotfix that was endorsed by The SANS Institutes Internet Storm Center, a group that tracks malicious Internet activity.

In March, two well-respected security companies—eEye Digital Security and Determina—shipped updates for Microsofts Internet Explorer to cover a code execution hole that was being attacked.

eEye, in Aliso Viejo, Calif., claims its patch was downloaded more than 150,000 times in a two-week span and said feedback from IT professionals confirmed there was a desperate need for third-party patches in advance of an official patch, depending on the severity of the public exploit.

"Is there a need for third-party patches? Absolutely," said eEye CEO Ross Brown. "Most of the customers that downloaded our patch [in March] were from corporate domains. They were testing and deploying on thousands of systems. We know for a fact that people found it valuable enough to use it."

Joe Stewart, a reverse-engineering specialist at SecureWorks, in Chicago, said he volunteered his services to ZERT willingly out of frustration with Microsofts slow response to the threat.

"Microsoft needs to start paying attention and recognize that theres a need for an out-of-band patch," Stewart said. "Its somewhat irresponsible to tell customers to wait two weeks for Patch Tuesday while computers are being hosed with malware."

Weighing Risks

However, not everyone is buying into the third-party-patching hype. "I will not use the unofficial patch, nor can I think of anyone I would recommend it to," said Jesper Johansson, a former Microsoft security strategist now working as principal security program manager for a major e-commerce company.

"Personally, I worry about putting un-verified and untrusted binaries on my system and about the likelihood that they are going to be any higher-quality than the ones Microsoft releases," Johansson added.

Johansson said he believes the decision to use a third-party fix is a risk management issue that has to be weighed properly. For a business with high security requirements, an unofficial patch could be practical. "If your risk and the cost of the attack is very high, then you may want to consider the unofficial patch, but I cannot in the best conscience recommend it right now," Johansson said.

Susan Bradley was faced with that exact scenario during the recent VML crisis. As a partner and self-described "chief cook and bottle washer" at Fresno, Calif., accounting firm Tamiyasu, Smith, Horn and Braun, Bradley weighed the risks and opted to use Microsofts prepatch mitigation and avoid the ZERT fix altogether.

"For me, its a support issue. I cant install something on my systems that is unsupported," Bradley said. "Im just not comfortable with a third-party patch that takes a machine out of support."

"Its a risk management issue for us. I just cant take the chance and bet on an unofficial fix," she added. "The cost of putting my network out of support is just too high."

For Dave Goldsmith, president of New York-based penetration-testing company Matasano Security, a third-party patch should be considered only as a "last-ditch option" if a vulnerability is critical enough that all known mitigations are insufficient.

"In that scenario, I would recommend it for enterprise clients, provided they are comfortable with any risks associated with potentially violating support contracts," Goldsmith said. "They would need to test it extensively first, [but] the real problem with this is that an enterprise has little recourse if the patch breaks things or is, in fact, malicious."

Third-Party Role

According to ZERT spokesperson gadi Evron, the group plans to release VML patches for out-of-support Windows versions, offering an option for businesses still using older operating system versions because of application compatibility concerns.

ZERT, which boasts a lineup of volunteers that includes Halvar Flake, CEO and head of research at Sabre Security; Paul Vixie, founder of the Internet Software Consortium; Roger Thompson, chief technology officer of Exploit Prevention Labs; and Florian Weimer, a German computer expert specializing in Linux and DNS (Domain Name System) security, will roll out hotfixes for Windows 98; Windows ME; Windows NT and Windows 2000; pre-Service Pack 4.

Businesses running those operating system versions now have to pay for custom support from Microsoft because the software maker does not offer free patches for out-of-support products.

There is a general feeling that ZERTs patches for older operating system versions could prove very valuable, but, as Johansson said, "It is misguided to think that patching a single issue will prolong the life of a system designed to a threat model that was accurate eight to 10 years ago."

"I cant recommend anyone to patch, or even stick with, an out-of-support operating system," Johansson said. "The fact remains that this is only one issue those systems are vulnerable to. They need to be replaced with up-to-date systems. It is not prudent risk management, in my opinion."

According to eEyes Brown, the big win from the ZERT initiative is an acknowledgment from Microsoft that its rigid monthly patch cycle is not always a practical approach to securing its software for customers.

"I have no doubt that ZERT pushed Microsoft to go out of band [with Microsofts VML patch released Sept. 26]," Brown said. "It puts pressure on Microsoft to be more responsive to serious issues. They wouldnt have gone out of cycle if ZERT wasnt there, offering an alternative that they dont like."

Whos who in ZERT?

A few key volunteers in the Zeroday team

* Marcus Sachs Director of The SANS Internet Storm Center and a former White House IT security consultant

* Dan Hubbard VP of security and technology research at Websense

* Joe Stewart Reverse-engineering guru and senior security researcher at SecureWorks

* Ilfak Guilfanov Author of the IDA Pro binary analysis tool

* Paul Vixie Founder of the Internet Software Consortium and author of the BIND DNS

Source: eWEEK reporting